roryqi pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/gravitino.git
The following commit(s) were added to refs/heads/main by this push:
new c1f35e00ac [#6871] fix(server,authn): Fix use catalog and show
databases failed with krb cluster for iceberg issue (#6873)
c1f35e00ac is described below
commit c1f35e00ac25bcfeb4f50ab638549ed6fb566167
Author: gavin.wang <[email protected]>
AuthorDate: Tue Apr 15 10:15:28 2025 +0800
[#6871] fix(server,authn): Fix use catalog and show databases failed
with krb cluster for iceberg issue (#6873)
### What changes were proposed in this pull request?
Fix `use catalog` and `show databases` failing for Iceberg catalogs
on a Kerberos-enabled (krb) cluster.
### Why are the changes needed?
Fix: #6871
### Does this PR introduce _any_ user-facing change?
No
### How was this patch tested?
local test.
steps:
1、curl -X POST -H "Accept: application/vnd.gravitino.v1+json"
-H "Content-Type: application/json" -d '{
"name": "iceberg_catalog",
"type": "RELATIONAL",
"comment": "iceberg catalog",
"provider": "lakehouse-iceberg",
"properties": {
"catalog-backend": "hive",
"warehouse": "/pathforhivetest",
"uri": "thrift://HMS HOST:9083",
"gravitino.bypass.hadoop.security.authentication": "kerberos",
"gravitino.bypass.hive.metastore.sasl.enabled": "true",
"gravitino.bypass.hive.metastore.kerberos.principal": "hive/HMS
HOST@REALM",
"authentication.kerberos.keytab-uri": "PATH OF KEYTAB",
"authentication.kerberos.principal": "hive/HOST INSATANCE@REALM",
"authentication.type": "kerberos",
"authentication.impersonation-enable": true
}
}' http://localhost:8090/api/metalakes/dev_metalake/catalogs
2、
spark-sql -v --conf
spark.plugins="org.apache.gravitino.spark.connector.plugin.GravitinoSparkPlugin"
--conf spark.sql.gravitino.uri=http://localhost:8090/ --conf
spark.sql.gravitino.metalake=dev_metalake --conf
spark.sql.gravitino.enableIcebergSupport=true --conf
spark.sql.warehouse.dir=xxxx --conf
spark.sql.gravitino.authType=kerberos --conf
spark.kerberos.principal=user1/[[email protected]](mailto:[email protected])
spark.kerberos.keytab=/user1.keytab
3、use iceberg_catalog;show database

---
.../common/authentication/kerberos/HiveBackendProxy.java | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git
a/iceberg/iceberg-common/src/main/java/org/apache/gravitino/iceberg/common/authentication/kerberos/HiveBackendProxy.java
b/iceberg/iceberg-common/src/main/java/org/apache/gravitino/iceberg/common/authentication/kerberos/HiveBackendProxy.java
index 5ff6f07a5e..4278756c96 100644
---
a/iceberg/iceberg-common/src/main/java/org/apache/gravitino/iceberg/common/authentication/kerberos/HiveBackendProxy.java
+++
b/iceberg/iceberg-common/src/main/java/org/apache/gravitino/iceberg/common/authentication/kerberos/HiveBackendProxy.java
@@ -73,21 +73,19 @@ public class HiveBackendProxy implements MethodInterceptor {
@Override
public Object intercept(Object o, Method method, Object[] objects,
MethodProxy methodProxy)
throws Throwable {
-
+ final String finalPrincipalName;
String proxyKerberosPrincipalName =
PrincipalUtils.getCurrentPrincipal().getName();
if (!proxyKerberosPrincipalName.contains("@")) {
- proxyKerberosPrincipalName =
- String.format("%s@%s", proxyKerberosPrincipalName, kerberosRealm);
+ finalPrincipalName = String.format("%s@%s", proxyKerberosPrincipalName,
kerberosRealm);
+ } else {
+ finalPrincipalName = proxyKerberosPrincipalName;
}
-
UserGroupInformation realUser =
- UserGroupInformation.createProxyUser(proxyKerberosPrincipalName,
proxyUser);
+ UserGroupInformation.createProxyUser(finalPrincipalName, proxyUser);
String token =
newClientPool.run(
- client ->
- client.getDelegationToken(
- PrincipalUtils.getCurrentPrincipal().getName(),
proxyUser.getShortUserName()));
+ client -> client.getDelegationToken(finalPrincipalName,
proxyUser.getShortUserName()));
Token<DelegationTokenIdentifier> delegationToken = new Token<>();
delegationToken.decodeFromUrlString(token);
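Review bot: The `contains("@")` test in intercept() only decides whether `kerberosRealm` is appended, so a name from `PrincipalUtils.getCurrentPrincipal()` that already carries a realm is used unchanged as both the proxy-user name and the delegation-token owner, and a realm other than `kerberosRealm` is never noticed here. Whether the authenticator upstream already constrains the realm is not visible in this hunk; if it does not, consider rejecting a mismatch before `createProxyUser`, e.g. `if (!finalPrincipalName.endsWith("@" + kerberosRealm)) throw new IllegalStateException("unexpected realm in principal");`. A short comment above `String token =`, such as `// Token owner must be the same realm-qualified principal as the proxy UGI's real user`, would also record why both calls now share `finalPrincipalName`. The body of intercept() continues past the end of the hunk.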